Tomography increases key rates of quantum-key-distribution protocol
We construct a practically implementable classical processing for the BB84 protocol and the six-state protocol that fully utilizes the accurate channel estimation method, which is also known as quantum tomography. Our proposed processing yields at least as high a key rate as the standard processing by Shor and Preskill. We show two examples of quantum channels over which the key rate of our proposed processing is strictly higher than that of the standard processing. In the second example, the BB84 protocol with our proposed processing yields a positive key rate even though the so-called error rate is higher than the 25% limit.

PACS numbers: 03.67.Dd, 89.70.-a, 03.65.Wj 
I. INTRODUCTION

Quantum key distribution (QKD) has attracted great 
attention as an unconditionally secure key distribution 
scheme. The fundamental feature of QKD protocols is 
that the amount of information gained by an eavesdrop- 
per, usually referred to as Eve, can be estimated from the 
channel between the legitimate sender and the receiver, 
usually referred to as Alice and Bob respectively. Such 
a task cannot be conducted in classical key distribution 
schemes. If the estimated amount is lower than a thresh- 
old, then Alice and Bob determine the length of a secret 
key from the estimated amount of Eve's information, and 
can share a secret key by performing the information reconciliation
(error correction) [l|,[3 and the privacy amplification 0, Since the key rate, which is the length of
securely sharable key per channel use, is one of the most 
important criteria for the efficiency of QKD protocols, 
the estimation of the channel is of primary importance. 

In this paper, we only treat the BB84 protocol Q and 
the six-state protocol [5[, and we mean the BB84 pro- 
tocol and the six-state protocol by the QKD protocols 
throughout the paper. Furthermore, a classical process- 
ing consists of a procedure to determine a key rate from 
a channel estimate and a procedure for the information 
reconciliation and the privacy amplification. 

Mathematically, quantum channels are described by trace preserving completely positive (TPCP) maps [6|. Conventionally in the QKD protocols, we only use the statistics of matched measurement outcomes, which are transmitted and received by the same basis, to estimate the TPCP map describing the quantum channel; mismatched measurement outcomes, which are transmitted and received by different bases, are discarded in the conventionally used channel estimation methods. By using the statistics of mismatched measurement outcomes in addition to that of matched measurement outcomes, we can estimate the TPCP map more accurately than the conventional estimation method. Such an accurate channel estimation method is also known as quantum tomography 0,0]. In the early 90s, Barnett et al. Q showed that the use of mismatched measurement outcomes enables Alice and Bob to detect the presence of Eve with higher probability for the so-called intercept and resend attack. Furthermore, some literature uses the accurate estimation method to ensure that the channel is a Pauli channel [l^, [HI, [H, [13 , where a Pauli channel is a channel over which four kinds of Pauli errors (including the identity) occur probabilistically. However, the channel is not necessarily a Pauli channel.

The use of the accurate channel estimation method 
in a classical processing has a potential to improve the 
key rates of previously known classical processing. How- 
ever, there is no proposed practically implementable clas- 
sical processing that fully utilizes the accurate estimation 
method. Recently, Renner et al. [l3,[lE,[lBl developed in- 
formation theoretical techniques to prove the security of 
the QKD protocols. Their proof techniques can be used 
to prove the security of the QKD protocols with a classi- 
cal processing that fully utilizes the accurate estimation 
method. However they only considered Pauli channels or 
partial twirled channels^. For Pauli channels, the accu- 
rate estimation method and the conventional estimation 
method make no difference. 

In this paper, we construct a practically implementable 
classical processing that fully utilizes the accurate chan- 
nel estimation method. More precisely, we present a pro- 
cedure to determine a key rate based on the accurate 
channel estimate for the BB84 protocol and the six-state
protocol respectively. Then we also present a practically 
implementable procedure for the information reconcilia- 
tion and the privacy amplification in which we can share 
a secret key at the determined key rate. Note that we 
only change the classical processing of the QKD protocols, and the method of the transmission and reception of quantum systems in the QKD protocols remains unchanged.

Although it is straightforward to determine a key rate
from the accurate channel estimate for the six-state pro- 
tocol, it is subtle how to determine a key rate from the 
accurate channel estimate for the BB84 protocol. More 
specifically, we can obtain only partial parameters de- 
scribing the channel, and there remain some free param- 
eters. Thus we have to consider the worst case, i.e., the 
key rate that is minimized over the free parameters. We 
shall show an explicit procedure to determine the mini- 
mized key rate. 

Our proposed processing yields at least as high a key rate as the standard processing by Shor and Preskill. As examples, we show that the key rate of our proposed classical processing is strictly higher than that of the standard processing for the amplitude damping channel and the rotation channel, which is a unitary channel that rotates the Bloch sphere in the z-x plane. In the example of the amplitude damping channel, we show that the key rate of the so-called reverse reconciliation^, in which the key is generated based on Bob's bit sequence, is higher than the key rate of the direct reconciliation, in which the key is generated based on Alice's bit sequence^. In the example of the rotation channel, we solve a problem left open in [2^ . Section 5]: the problem whether it is possible to obtain positive key rates from both matched measurement outcomes and mismatched measurement outcomes for the BB84 protocol.

It is believed that we cannot share any secret key if 
the so-called error rate is higher than the 25% limit in 
the BB84 protocol [11]. However Curty et al. ^ sug- 
gested that, for some asymmetric error patterns, it might 
be possible to share a secret key even for the error rates 
above the 25% limit. In the example of the rotation chan- 
nel, we show that we can actually obtain a positive key 
rate even though the error rate is higher than the 25% 
limit. 

Devetak and Winter [2^ also showed the key rate formula that coincides with the key rate formula shown by Renner et al. [3 if we know the channel exactly. By combining our proposed procedure to determine a key rate based on the accurate channel estimate and Devetak and Winter's procedure for the information reconciliation and the privacy amplification, we can obtain the same key rate as in this paper. However, the procedure for the information reconciliation and the privacy amplification shown by Devetak and Winter is not practically implementable.

^ The reverse reconciliation was originally proposed by Maurer [19] in the classical key agreement.

^ For QKD protocols with weak coherent states, the literature [20], [21] already pointed out that the key rates of the direct reconciliation and the reverse reconciliation are different.

Our proposed information reconciliation can be implemented by any efficiently decodable linear code for the Slepian-Wolf coding [2y]. For example, we can use the low density parity check matrix (LDPC) code [27{ .

The rest of this paper is organized as follows: We first present a procedure for the information reconciliation and the privacy amplification in Section II. Then we present a procedure to determine a key rate from the estimate of the channel in Section III. We consider the amplitude damping channel, the unital channel, and the rotation channel as examples, and show that the key rate of our proposed processing is higher than that of the standard processing in Section IV. We state the conclusion in Section V.

In this paper, we mainly consider standard procedures 
for the information reconciliation and the privacy ampli- 
fication with one-way classical communication, i.e., we do 
not treat, except in Remarks [51 and [TUl the noisy prepro- 
cessing [IJ, |lg nor a procedure with two-way classical 
communication [23l. [2^. However, our results in this pa- 
per can be easily extended to procedures with the noisy 
preprocessing and two-way classical communication (see 
Remark [TT|) . 



II. INFORMATION RECONCILIATION AND 
PRIVACY AMPLIFICATION 

We construct a practical procedure for the information reconciliation and the privacy amplification in this section. We first describe our proposed procedure with general linear codes and the maximum a posteriori probability (MAP) decoding. Then, as an example of an efficiently decodable linear code, we show how to apply the sum-product algorithm of the low density parity check matrix (LDPC) code^ to our proposed procedure in Remark 5.

For simplicity we assume that Eve's attack is the collective attack^, i.e., the channel connecting Alice and Bob is given by tensor products of a channel $\mathcal{E}_B$ from a qubit density matrix to itself. As is usual in the QKD literature, we assume that Eve can access all the environment of channel $\mathcal{E}_B$; the channel to the environment is denoted by $\mathcal{E}_E$.



* It should be noted that the application of the LDPC codes for 
classical key agreement protocols has been considered by Mura- 
matsu [29II . in which he uses the LDPC code as the Slepian-Wolf 
source coding. 

^ This assumption is not essential. By using the de Finetti repre- 
sentation arguments Il5l ISOll , our result can be extended to the 
coherent attack. 
In the six-state protocol, Alice randomly sends bit 0 or 1 to Bob by modulating it into a transmission basis that is randomly chosen from the z-basis $\{|0_z\rangle, |1_z\rangle\}$, the x-basis $\{|0_x\rangle, |1_x\rangle\}$, or the y-basis $\{|0_y\rangle, |1_y\rangle\}$, where $|0_a\rangle, |1_a\rangle$ are eigenstates of the Pauli matrix $\sigma_a$ for $a \in \{x, y, z\}$ respectively. Then Bob randomly chooses one of the measurement observables $\sigma_x$, $\sigma_y$, and $\sigma_z$, and converts a measurement result $+1$ or $-1$ into a bit 0 or 1 respectively. After a sufficient number of transmissions, Alice and Bob publicly announce their transmission bases and measurement observables. They also announce a part of their bit sequences for estimating channel $\mathcal{E}_B$. Note that Alice and Bob do not discard mismatched measurement outcomes, which are transmitted and received by different bases, to estimate the channel accurately.

In the BB84 protocol, Alice only uses z-basis and x-basis to transmit the bit sequence, and Bob only uses observables $\sigma_z$ and $\sigma_x$ to receive the bit sequence.

Henceforth, we only treat Alice's bit sequence $\mathbf{x} \in \mathbb{F}_2^n$ that is transmitted in z-basis and corresponding Bob's bit sequence $\mathbf{y} \in \mathbb{F}_2^n$ that is received in $\sigma_z$-measurement, where $\mathbb{F}_2$ is the finite field of order 2. Furthermore, we occasionally omit the subscripts $\{x, y, z\}$ of bases, and the basis $\{|0\rangle, |1\rangle\}$ is regarded as z-basis unless otherwise stated. Since the pair of sequences $(\mathbf{x}, \mathbf{y})$ is transmitted and received in z-basis, they are independently identically distributed according to

$$P_{XY}(x, y) := \frac{1}{2} \langle y | \mathcal{E}_B(|x\rangle\langle x|) | y \rangle. \tag{1}$$

Note that the distribution $P_{XY}$ can be estimated from the statistics of the sample bits that are transmitted by z-basis and received by $\sigma_z$-observable.

Before describing our proposed procedure, we should review the basic facts of linear codes. An $[n, n-m]$ classical linear code $C$ is an $(n-m)$-dimensional linear subspace of $\mathbb{F}_2^n$, and its parity check matrix $M$ is an $m \times n$ matrix of rank $m$ with 0, 1 entries such that $M\mathbf{c} = \mathbf{0}$ for any codeword $\mathbf{c} \in C$. By using these preparations, our proposed procedure is described as follows.

(i) Alice calculates syndrome $\mathbf{t} := M\mathbf{x}$, and sends it to Bob over the public channel.

(ii) Bob decodes $(\mathbf{y}, \mathbf{t})$ into estimate $\hat{\mathbf{x}}$ of $\mathbf{x}$ by using the maximum a posteriori probability (MAP) decoding. More precisely, Bob selects $\hat{\mathbf{x}} \in \mathbb{F}_2^n$ such that $M\hat{\mathbf{x}} = \mathbf{t}$ and the a posteriori probability $P^n_{X|Y}(\hat{\mathbf{x}}|\mathbf{y})$ is maximized (if there exist tied sequences, then he selects the smallest one with respect to the lexicographic order), where $P^n_{X|Y}$ is the $n$-fold product distribution of $P_{X|Y}$.

(iii) Alice randomly chooses a hash function $f : \mathbb{F}_2^n \to S_n$ from a set of universal hash functions [3l|, and sends the choice to Bob over the public channel. Then Alice and Bob's final keys are $s_A := f(\mathbf{x})$ and $s_B := f(\hat{\mathbf{x}})$ respectively.



If we set the rate of syndrome as

$$\frac{m}{n} > H(X|Y), \tag{2}$$

then there exists a linear code in the LDPC codes such that Bob's decoding error probability is arbitrarily small for sufficiently large $n$ [H, Theorem 2], where $H(X|Y)$ is the conditional entropy with respect to the joint probability distribution $P_{XY}$ [l^. Note that the bases of logarithms and (conditional) entropies are 2 throughout the paper.

The key rate, $\frac{1}{n} \log |S_n|$, is determined according to the results of privacy amplification [Tsl . Corollary 3.3.7 and Lemma 6.4.1]. Let

$$H_\rho(X|E) := H(\rho_{XE}) - H(\rho_E)$$

be the conditional von Neumann entropy with respect to density matrix $\rho_{XE} := \sum_{x \in \mathbb{F}_2} \frac{1}{2} |x\rangle\langle x| \otimes \mathcal{E}_E(|x\rangle\langle x|)$, where $H(\rho)$ is the von Neumann entropy for a density matrix $\rho$. If the key rate satisfies

$$\frac{1}{n} \log |S_n| < H_\rho(X|E) - \frac{m}{n}, \tag{3}$$

then the final key $S_A$ is secure in the sense of the trace distance^. More precisely, the density matrix, $\rho_{S_A T F E^n}$, which describes Alice's final key $S_A$, the publicly transmitted syndrome $T$ and hash function $F$, and the state in Eve's system $E^n$, satisfies

$$\| \rho_{S_A T F E^n} - \rho_S \otimes \rho_{T F E^n} \| < \varepsilon$$

for arbitrarily small $\varepsilon$ and sufficiently large $n$, where $\rho_S := \sum_{s \in S_n} \frac{1}{|S_n|} |s\rangle\langle s|$ is the density matrix that describes the uniformly distributed key on $S_n$. From Eqs. (2) and (3), we find that

$$H_\rho(X|E) - H(X|Y) \tag{4}$$

is a secure key rate.

Note that the conditional von Neumann entropy $H_\rho(X|E)$ can be calculated from the channel $\mathcal{E}_B$ as follows. Since system $X$ is classical, we can rewrite $H(\rho_{XE}) = H(X) + \sum_{x \in \mathbb{F}_2} \frac{1}{2} H(\mathcal{E}_E(|x\rangle\langle x|))$. Noting that $H(\mathcal{E}_E(|x\rangle\langle x|)) = H(\mathcal{E}_B(|x\rangle\langle x|))$ and $H(\rho_E) = H((\mathrm{id} \otimes \mathcal{E}_B)(\psi))$ for the maximally entangled state $|\psi\rangle = \sum_{x \in \mathbb{F}_2} \frac{1}{\sqrt{2}} |x\rangle|x\rangle$, Eve's ambiguity for Alice's bit, $H_\rho(X|E)$, can be calculated from the channel $\mathcal{E}_B$. How to determine Eve's ambiguity $H_\rho(X|E)$ from an estimate of the channel is discussed in the next section.

^ The trace norm of a matrix $A$ is defined by $\|A\| := \mathrm{Tr}\sqrt{A^* A}$. Then the trace distance between two matrices $A$ and $B$ is defined by $\|A - B\|$.

Remark 1 If we use the conventionally used method [H, [33 | for decoding $\mathbf{x}$, the rate of syndrome $\frac{m}{n}$ cannot be as small as the right hand side of Eq. (2). Thus, the key rate in Eq. (4) cannot be achieved. Define a probability distribution on $\mathbb{F}_2$ as

$$P_W(w) := \sum_{y \in \mathbb{F}_2} P_Y(y) P_{X|Y}(y + w|y). \tag{5}$$

Then the error $\mathbf{w} := \mathbf{x} + \mathbf{y}$ between Alice and Bob's sequences is distributed according to $P^n_W$. In the conventional method, Bob calculates the difference of syndromes, $\mathbf{t} + M\mathbf{y}$, and selects the error $\hat{\mathbf{w}}$ such that $M\hat{\mathbf{w}} = \mathbf{t} + M\mathbf{y}$ and the likelihood of the error $P^n_W(\hat{\mathbf{w}})$ is maximized. Then, the estimate for Alice's sequence is $\hat{\mathbf{x}} = \mathbf{y} + \hat{\mathbf{w}}$. The rate of syndrome has to be larger than $H(W)$ for the decoding error probability to be small. By the log-sum inequality [ssj and Eq. (5) we have

$$H(X|Y) = \sum_{w} \sum_{y} P_Y(y) P_{X|Y}(y + w|y) \log \frac{P_Y(y)}{P_Y(y) P_{X|Y}(y + w|y)} \le \sum_{w} P_W(w) \log \frac{1}{P_W(w)} = H(W).$$

Thus, the key rate in Eq. (4) cannot be achieved by the conventional decoding method unless $P_{X|Y}(w|0)$ equals $P_{X|Y}(1 + w|1)$ for any $w \in \mathbb{F}_2$.
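Steps (i) to (iii) and the comparison of Remark 1 on a toy instance, as an added example that is not code from the paper. It assumes a Hamming [7,4] parity check matrix in place of an LDPC code, exhaustive search in place of sum-product decoding, a Toeplitz matrix as the universal hash family, and the joint distribution that Eq. (1) gives for the amplitude damping channel of Eq. (18) with p = 0.5; the sequences and the hash seed are constructed.

```python
import itertools
import math

def syndrome(M, v):
    """M v over F_2, returned as a tuple of bits."""
    return tuple(sum(a * b for a, b in zip(row, v)) % 2 for row in M)

def entropy(dist):
    return -sum(p * math.log2(p) for p in dist if p > 0)

def marginal_y(pxy):
    return [sum(p for (_, y), p in pxy.items() if y == b) for b in (0, 1)]

def cond_entropy(pxy):
    """H(X|Y) in bits for a joint distribution {(x, y): probability}."""
    py = marginal_y(pxy)
    return sum(p * math.log2(py[y] / p) for (_, y), p in pxy.items() if p > 0)

def error_dist(pxy):
    """P_W of Eq. (5): distribution of the error W = X + Y."""
    return [sum(p for (x, y), p in pxy.items() if x ^ y == w) for w in (0, 1)]

def most_probable(M, target, score):
    """Most probable word with syndrome `target`. Ties go to the lexicographically
    smallest word, because product() enumerates words in that order."""
    best, best_p = None, -1.0
    for cand in itertools.product((0, 1), repeat=len(M[0])):
        if syndrome(M, cand) == target:
            p = score(cand)
            if p > best_p:
                best, best_p = cand, p
    return best

def map_decode(M, t, y, pxy):
    """Step (ii): maximize prod_i P_{X|Y}(x_i | y_i) subject to M x = t.
    Assumes both values of y have non-zero probability."""
    py = marginal_y(pxy)
    return most_probable(M, tuple(t), lambda c: math.prod(
        pxy[(ci, yi)] / py[yi] for ci, yi in zip(c, y)))

def conventional_decode(M, t, y, pxy):
    """Remark 1: pick the most likely error w with M w = t + M y, return y + w."""
    pw = error_dist(pxy)
    target = tuple(a ^ b for a, b in zip(t, syndrome(M, y)))
    w = most_probable(M, target, lambda c: math.prod(pw[b] for b in c))
    return tuple(a ^ b for a, b in zip(y, w))

def toeplitz_hash(seed, x, k):
    """Step (iii): k-bit hash of x by the Toeplitz matrix T[i][j] = seed[i - j + n - 1]."""
    n = len(x)
    return tuple(sum(seed[i - j + n - 1] * x[j] for j in range(n)) % 2
                 for i in range(k))

# Constructed inputs (assumptions of this example, not data from the paper).
P = 0.5                                              # damping parameter
PXY = {(0, 0): 0.5, (0, 1): 0.0, (1, 0): P / 2, (1, 1): (1 - P) / 2}
M = [[(j >> r) & 1 for j in range(1, 8)] for r in range(3)]   # Hamming [7,4]
X = (1, 1, 1, 1, 1, 0, 0)                            # Alice's bits
Y = (0, 0, 1, 1, 1, 0, 0)                            # Bob's bits: two 1 -> 0 flips
SEED = (1, 0, 1, 1, 0, 1, 0, 0)                      # n + k - 1 bits for k = 2

def demo():
    t = syndrome(M, X)                               # step (i): public syndrome
    x_map = map_decode(M, t, Y, PXY)                 # step (ii): MAP estimate
    x_conv = conventional_decode(M, t, Y, PXY)       # error-pattern decoding
    return {"H(X|Y)": cond_entropy(PXY), "H(W)": entropy(error_dist(PXY)),
            "x_map": x_map, "x_conv": x_conv,
            "s_A": toeplitz_hash(SEED, X, 2),
            "s_B": toeplitz_hash(SEED, x_map, 2),
            "s_conv": toeplitz_hash(SEED, x_conv, 2)}

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On this input the MAP decoder recovers Alice's sequence because it knows that a received 1 can only come from a sent 1, while the error-pattern decoder settles on a single-bit error and the hashed keys disagree.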

Remark 2 By switching the role of Alice and Bob, we obtain a classical processing that achieves the key rate

$$H_\rho(Y|E) - H(Y|X). \tag{6}$$

Such a procedure is usually called the reverse reconciliation. On the other hand the original procedure is usually called the direct reconciliation. The reverse reconciliation was originally proposed by Maurer in the classical key agreement context.

Note that we can calculate the conditional von Neumann entropy $H_\rho(Y|E) = H(\rho_{YE}) - H(\rho_E)$ from the channel $\mathcal{E}_B$ as follows. Let $\psi_{ABE}$ be a purification of $(\mathrm{id} \otimes \mathcal{E}_B)(\psi)$, and let $\rho_{BE} := \mathrm{Tr}_A[\psi_{ABE}]$. Then, the density matrix $\rho_{YE}$ is derived by measurement on Bob's system, i.e.,

$$\rho_{YE} = \sum_{y \in \mathbb{F}_2} |y\rangle\langle y| \otimes \mathrm{Tr}_B[\rho_{BE}(|y\rangle\langle y| \otimes I)].$$

In Section IV A we shall show that the key rate of the reverse reconciliation can be higher than that of the direct reconciliation. The fact that the key rates of the direct reconciliation and the reverse reconciliation are different is already pointed out for QKD protocols with weak coherent states [20, 21].



Remark 3 We used the MAP decoding instead of the maximum likelihood (ML) decoding in our procedure, because the MAP decoding minimizes the decoding error probability, and the MAP decoding is different from the ML decoding for the reverse reconciliation. In the ML decoding for the reverse reconciliation, Alice selects $\hat{\mathbf{y}} \in \mathbb{F}_2^n$ such that $M\hat{\mathbf{y}}$ equals the syndrome $\mathbf{t} = M\mathbf{y}$, and that the likelihood $P^n_{X|Y}(\mathbf{x}|\hat{\mathbf{y}})$ is maximized. Since the prior probability of Bob's sequence $\mathbf{y}$ is not necessarily the uniform distribution, the ML decoding and the MAP decoding are not necessarily equivalent, i.e.,

$$\operatorname*{argmax}_{\hat{\mathbf{y}} : M\hat{\mathbf{y}} = \mathbf{t}} P^n_{X|Y}(\mathbf{x}|\hat{\mathbf{y}}) = \operatorname*{argmax}_{\hat{\mathbf{y}} : M\hat{\mathbf{y}} = \mathbf{t}} P^n_{Y|X}(\hat{\mathbf{y}}|\mathbf{x})$$

does not hold in general.



Remark 4 By modifying our proposed procedure as follows, we obtain a procedure in which Alice and Bob can share a secret key from Alice's sequence $\mathbf{x}$ that is transmitted by z-basis and corresponding Bob's sequence $\mathbf{y}$ that is received by $\sigma_x$-measurement. Since $(\mathbf{x}, \mathbf{y})$ are independently identically distributed according to

$$P_{XY'}(x, y) := \frac{1}{2} \langle y_x | \mathcal{E}_B(|x_z\rangle\langle x_z|) | y_x \rangle, \tag{7}$$

we replace $P_{X|Y}$ in Step (ii) with $P_{X|Y'}$. By similar arguments as in the original procedure, the secure key rate of the modified procedure is given by

$$H_\rho(X|E) - H(X|Y'). \tag{8}$$

In Section IV B we shall show an example in which Alice and Bob can share secret keys both from matched measurement outcomes and mismatched measurement outcomes, i.e., both Eqs. (4) and (8) are positive.

Remark 5 The sum-product algorithm can be used in Step (ii) of our proposed procedure as follows. For a given sequence $\mathbf{y} \in \mathbb{F}_2^n$, and a syndrome $\mathbf{t} \in \mathbb{F}_2^m$, define a function

$$P^*(\hat{\mathbf{x}}) := \prod_{j=1}^{n} P_{X|Y}(\hat{x}_j|y_j) \prod_{k=1}^{m} \mathbf{1}\Big[\sum_{l \in N(k)} \hat{x}_l = t_k\Big], \tag{9}$$

where $N(k) := \{j \mid M_{kj} = 1\}$ for the parity check matrix $M$, and $\mathbf{1}[\cdot]$ is the indicator function. The function $P^*(\hat{\mathbf{x}})$ is the non-normalized a posteriori probability distribution on $\mathbb{F}_2^n$ given $\mathbf{y}$ and $\mathbf{t}$. The sum-product algorithm is a method to (approximately) calculate the marginal a posteriori probability, i.e.,

$$P^*_j(\hat{x}_j)$$

The definition of a posteriori probability in Eq. (9) is the only difference between the decoding for the Slepian-Wolf source coding and that for the channel coding. More precisely, we replace [35|, Eq. (47.6)] with Eq. (9) and use the algorithm in [s^, Section 47.3]. The above procedure is a generalization of [IB] , and a special case of [13] .

In QKD protocols we should minimize the block error probability rather than the bit error probability, because a bit error might propagate to other bits after the privacy amplification. Although the sum-product algorithm is designed to minimize the bit error probability, it is known by computer simulations that the algorithm makes the block error probability small [sH] .

III. PROCEDURE FOR CHANNEL 
ESTIMATION 

In this section we show procedures to estimate Eve's ambiguity $H_\rho(X|E)$ for the six-state protocol and the BB84 protocol. We first present general preliminaries in Section III A. Then we show procedures for the six-state protocol and the BB84 protocol in Sections III B and III C respectively. In Section III D we clarify the relation between our proposed procedures for estimating $H_\rho(X|E)$ and the conventional ones.

Although we explain the procedures to estimate 
Hp{X\E) for the direct reconciliation, the estimation of 
Hp(Y\E) for the reverse reconciliation can be done in a 
similar manner. 



A. Preliminaries 

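In the Stokes parameterization, the qubit channel $\mathcal{E}_B$ can be described by the affine map parameterized by 12 real parameters [H, [3§] :

$$\begin{pmatrix} \theta_z \\ \theta_x \\ \theta_y \end{pmatrix} \mapsto \begin{pmatrix} R_{zz} & R_{zx} & R_{zy} \\ R_{xz} & R_{xx} & R_{xy} \\ R_{yz} & R_{yx} & R_{yy} \end{pmatrix} \begin{pmatrix} \theta_z \\ \theta_x \\ \theta_y \end{pmatrix} + \begin{pmatrix} t_z \\ t_x \\ t_y \end{pmatrix}, \tag{10}$$

where $(\theta_z, \theta_x, \theta_y)$ describes a vector in the Bloch sphere [^. For the channel $\mathcal{E}_B$ and each pair of bases $(a, b) \in \{z, x, y\}^2$, define the biases of the outputs as

$$Q_{ab0} := \langle 0_b | \mathcal{E}_B(|0_a\rangle\langle 0_a|) | 0_b \rangle - \langle 1_b | \mathcal{E}_B(|0_a\rangle\langle 0_a|) | 1_b \rangle,$$
$$Q_{ab1} := \langle 1_b | \mathcal{E}_B(|1_a\rangle\langle 1_a|) | 1_b \rangle - \langle 0_b | \mathcal{E}_B(|1_a\rangle\langle 1_a|) | 0_b \rangle.$$

Then, a straightforward calculation shows the relations

$$R_{ba} = \frac{1}{2}(Q_{ab0} + Q_{ab1}), \qquad t_b = \frac{1}{2}(Q_{ab0} - Q_{ab1}). \tag{11}$$

The qubit channel $\mathcal{E}_B$ can be also described by the Choi matrix $\rho_{AB} := (\mathrm{id} \otimes \mathcal{E}_B)(\psi)$ [13 for the maximally entangled state $|\psi\rangle = \frac{1}{\sqrt{2}}(|0\rangle|0\rangle + |1\rangle|1\rangle)$. By using the parameters in Eq. (10), we can write the Choi matrix $\rho_{AB}$ as

$$\rho_{AB} = \frac{1}{4} \begin{pmatrix}
1 + R_{zz} + t_z & R_{xz} + t_x - iR_{yz} - it_y & R_{zx} + iR_{zy} & R_{xx} + R_{yy} - iR_{yx} + iR_{xy} \\
R_{xz} + t_x + iR_{yz} + it_y & 1 - R_{zz} - t_z & R_{xx} - R_{yy} + iR_{yx} + iR_{xy} & -R_{zx} - iR_{zy} \\
R_{zx} - iR_{zy} & R_{xx} - R_{yy} - iR_{yx} - iR_{xy} & 1 - R_{zz} + t_z & -R_{xz} + t_x + iR_{yz} - it_y \\
R_{xx} + R_{yy} + iR_{yx} - iR_{xy} & -R_{zx} + iR_{zy} & -R_{xz} + t_x - iR_{yz} + it_y & 1 + R_{zz} - t_z
\end{pmatrix}, \tag{12}$$

where $i$ is the imaginary unit.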



B. Six-state protocol

An ad-hoc approach to estimate Eve's ambiguity in the six-state protocol is very simple, because all parameters can be estimated from the statistics of sampled bits [3, ■

(i) By using the statistics of sampled bits and the relation in Eq. (11), Alice and Bob calculate the estimate $(\tilde{R}, \tilde{t})$ for the parameters $(R, t)$ of the channel $\mathcal{E}_B$.

(ii) By using Eq. (12), Alice and Bob calculate the corresponding matrix $\tilde{\rho}_{AB}$. If the resulting matrix $\tilde{\rho}_{AB}$ is not a Choi matrix, Alice and Bob select a Choi matrix $\hat{\rho}_{AB}$ such that the Frobenius norm between $\hat{\rho}_{AB}$ and $\tilde{\rho}_{AB}$ is minimized^.

(iii) Alice and Bob calculate an estimator $H_{\hat{\rho}}(X|E)$ for Eve's ambiguity $H_\rho(X|E)$.

The validity of this estimation procedure is shown as follows. Since the estimators in Step (i) converge to the true parameters in probability as the number of sampled bits goes to infinity, the matrix $\tilde{\rho}_{AB}$ also converges^ to $\rho_{AB}$. Then the Choi matrix $\hat{\rho}_{AB}$ also converges to $\rho_{AB}$. Since the conditional entropy is a continuous function, the estimator $H_{\hat{\rho}}(X|E)$ in Step (iii) also converges to $H_\rho(X|E)$ in probability as the number of sampled bits goes to infinity.

^ This step can be implemented, for example, by the convex optimization [41] because the set of all Choi matrices is a closed convex set. For more detail, see Appendix E.

^ When we consider a convergence of a density matrix, the convergence is with respect to the trace distance. On the other hand, when we consider a convergence of parameters, we use the Euclidean distance. If the estimated parameters converge to the true values, then the resulting matrix also converges to the true one, because the convergence of the Frobenius norm and that of the trace norm are equivalent.



C. BB84 protocol 

The estimation of $H_\rho(X|E)$ in the BB84 protocol is much more complicated. When Alice and Bob only use z-basis and x-basis, the statistics of the input and the output are irrelevant to the parameters $(R_{zy}, R_{xy}, R_{yz}, R_{yx}, R_{yy}, t_y)$. Thus, we can only estimate the parameters $\omega = (R_{zz}, R_{zx}, R_{xz}, R_{xx}, t_z, t_x)$, and we have to consider the worst case for the parameters $\omega$, i.e.,

$$F(\omega) := \min_{\tau \in \mathcal{P}(\omega)} H_{\rho_\tau}(X|E), \tag{13}$$

where $\mathcal{P}(\omega)$ is the set of all parameters $\tau = (R_{zy}, R_{xy}, R_{yz}, R_{yx}, R_{yy}, t_y)$ such that the parameters $\omega$ and $\tau$ constitute a qubit channel, and $\rho_\tau$ is the Choi matrix corresponding to the parameter $\tau$^.

By using the following proposition, which is proved in Appendix B, we can make the desired function $F(\omega)$ into a simpler form.

Proposition 1 The minimization in Eq. (13) is achieved when the parameters $R_{zy}$, $R_{xy}$, $R_{yz}$, $R_{yx}$, and $t_y$ are 0.

The number of free parameters has been reduced to 1 by Proposition 1. Thus the problem is rewritten as looking for an estimator of

$$F(\omega) = \min_{R_{yy} \in \mathcal{P}(\omega)} H_{\rho_{R_{yy}}}(X|E), \tag{14}$$

where $\mathcal{P}(\omega)$ is the set of parameters $R_{yy}$ such that the parameters $\omega$ and $R_{yy}$ constitute a qubit channel when the other parameters are all 0, and $\rho_{R_{yy}}$ is the Choi matrix corresponding to the parameter $R_{yy}$. Since the range $\mathcal{P}(\omega)$ of the remaining free parameter $R_{yy}$ is a closed interval and $H_\rho(X|E)$ is a convex function (see Lemma 5), the minimization in $F(\omega)$ is achieved at the boundary point of the range of $R_{yy}$ or at the zero point of the derivative of $H_\rho(X|E)$ with respect to $R_{yy}$.

An ad-hoc approach to find an estimator is as follows.

(i) By using the statistics of sampled bits and the relation in Eq. (11), Alice and Bob calculate the estimate $\tilde{\omega}$ for the parameters $\omega$.

(ii) If $\mathcal{P}(\tilde{\omega})$ is the empty set, then Alice and Bob find the point $\hat{\omega}$ such that $\hat{\omega}$ is closest (in Euclidean distance) to $\tilde{\omega}$ and $\mathcal{P}(\hat{\omega})$ is not an empty set^.

(iii) Alice and Bob calculate an estimator $F(\hat{\omega})$ for Eve's (worst-case) ambiguity $F(\omega)$.

The validity of this estimation procedure can be shown as follows. The estimator $\tilde{\omega}$ converges to the true value $\omega$ in probability. The estimator $\hat{\omega}$ also converges to $\omega$, because $\|\hat{\omega} - \tilde{\omega}\| \le \|\tilde{\omega} - \omega\|$, which implies $\|\hat{\omega} - \omega\| \le 2\|\tilde{\omega} - \omega\|$ by the triangle inequality. Thus the following lemma, which is proved in Appendix C, guarantees that the estimator $F(\hat{\omega})$ converges to the desired quantity $F(\omega)$ in probability as the number of sampled bits goes to infinity.

Lemma 1 The function $F(\omega)$ is a continuous function of $\omega$.

Although we showed a procedure to exactly estimate Eve's worst case ambiguity so far, it is worthwhile to show a closed form lower bound on Eve's worst case ambiguity, which will be proved in Appendix D.

Proposition 2 Let $d_z$ and $d_x$ be the singular values of the matrix

$$\begin{pmatrix} R_{zz} & R_{zx} \\ R_{xz} & R_{xx} \end{pmatrix}. \tag{15}$$

Then, we have

F{uj) > l-h

l + ^Rl + Rl

(16)

where $h(\cdot)$ is the binary entropy function. The equality holds if $t_z = t_x = 0$.

Remark 6 For the reverse reconciliation, the worst case of Eve's ambiguity $H_\rho(Y|E)$ is lower bounded by the right hand side of Eq. (16) in which $R_{xz}$ is replaced by $R_{zx}$.

Remark 7 The right hand side of Eq. (16) is further lower bounded by $1 - h((1 - R_{xx})/2)$. Since $(1 - R_{xx})/2$ equals the so-called phase error rate $P_x$ (see Eq. (17)), the right hand side of Eq. (16) is a lower bound on Eve's worst case ambiguity that is tighter than the well known bound $1 - h(P_x)$.

^ It should be noted that there are some other papers |42l . l43l . |44| that consider the situation in which we have to estimate a channel from partially estimated parameters as above. However, the methods in these papers cannot be used in our problem.

^ This step can be implemented, for example, by the convex optimization [41] because the set of all $\omega$ such that $\mathcal{P}(\omega)$ is not empty is a closed convex set. For more detail, see Appendix E.
Remark 8 We described estimation methods for Eve's ambiguity $H_\rho(X|E)$ based on the channel estimation method called linear inversion [i^ in Section III B and in this section. It is well-known that the maximum likelihood (ML) channel estimator has smaller estimation error than the linear inversion [i^. An algorithm for ML channel estimation has been proposed [i^, H^, 113] ; however, its convergence as a numerical algorithm has not been proved. The absence of a convergence proof prevents us from using that algorithm in the QKD protocols that require a rigorous proof of the convergence of an estimator.

The computation of the ML channel estimate in the six-state protocol is a convex optimization problem, because the set of Choi matrices is a closed convex set defined by equality constraints and generalized inequality constraints [4lj and the log-likelihood function is a concave function of Choi matrices for given measurement outcomes. Therefore, the interior point method [4l[, for example, can compute the ML estimate with a convergence guarantee. For the BB84 protocol, the domain of the log-likelihood function is narrowed to real Choi matrices by Proposition 1, which is also a closed convex set, and the parameter $R_{yy}$ remains undetermined, as in the linear inversion, because the log-likelihood function is independent of $R_{yy}$. The rest of the parameters can be computed by a convex optimization algorithm. If we are allowed to use enough computation time for sophisticated channel estimation procedures, then it may be better to use the ML channel estimation.



D. Relation to the conventional estimation 
procedure 

In this section, we show the relation between Eve's 
ambiguity Hp{X\E) that is estimated by our proposed 
procedures and that estimated by the conventional pro- 
cedures. 

In the conventional procedure to estimate $H_\rho(X|E)$ in the six-state protocol [ij] , we first estimate the so-called error rate for each basis:

$$P_z = \frac{\langle 1_z | \mathcal{E}_B(|0_z\rangle\langle 0_z|) | 1_z \rangle + \langle 0_z | \mathcal{E}_B(|1_z\rangle\langle 1_z|) | 0_z \rangle}{2},$$
$$P_x = \frac{\langle 1_x | \mathcal{E}_B(|0_x\rangle\langle 0_x|) | 1_x \rangle + \langle 0_x | \mathcal{E}_B(|1_x\rangle\langle 1_x|) | 0_x \rangle}{2}, \tag{17}$$
$$P_y = \frac{\langle 1_y | \mathcal{E}_B(|0_y\rangle\langle 0_y|) | 1_y \rangle + \langle 0_y | \mathcal{E}_B(|1_y\rangle\langle 1_y|) | 0_y \rangle}{2}.$$

Then, we calculate the worst case of Eve's ambiguity $\min H_\rho(X|E)$ in which the minimization is taken over the set of all channels that are compatible with the estimates of the error rates $(P_z, P_x, P_y)$. Since we estimate the actual channel instead of the worst case, Eve's ambiguity estimated by our procedure is at least as large as that estimated by the conventional one.

In the conventional procedure to estimate $H_\rho(X|E)$ in the BB84 protocol, we first estimate $P_z$ and $P_x$. Then we calculate the worst case of Eve's ambiguity $\min H_\rho(X|E)$ in which the minimization is taken over the set of all channels that are compatible with the estimates of the error rates $(P_z, P_x)$. The minimum is given by the well known value $1 - h(P_x)$ [ij. Since the error rates $(P_z, P_x)$ are a degraded version of the parameters $\omega$, the range of minimization in the conventional procedure is larger than $\mathcal{P}(\omega)$ in our proposed procedure. Thus, Eve's worst case ambiguity estimated by our proposed procedure is at least as large as that estimated by the conventional one.

For both the six-state protocol and the BB84 protocol, a sufficient condition such that Eve's worst case ambiguity estimated by our proposed procedure and that estimated by the conventional one coincide is that the channel $\mathcal{E}_B$ is a Pauli channel. However, it is not clear whether the condition is also a necessary condition or not.

Combining the arguments in this section and Remark 1, we find that our proposed classical processing yields at least as high a key rate as the standard processing by Shor and Preskill [l^l for the QKD protocols.



IV. EXAMPLES 

In this section, we calculate the key rates of the BB84 
protocol and the six-state protocol with our proposed 
classical processing for the amplitude damping channel, 
the unital channel, and the rotation channel, and clarify 
that the key rate of our proposed classical processing is 
higher than previously known ones. 



A. Amplitude damping channel 

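In the Stokes parameterization, the amplitude damping channel $\mathcal{E}_p$ is given by
the affine map

$$\begin{bmatrix}\theta_z\\ \theta_x\\ \theta_y\end{bmatrix} \mapsto \begin{bmatrix}1-p & 0 & 0\\ 0 & \sqrt{1-p} & 0\\ 0 & 0 & \sqrt{1-p}\end{bmatrix}\begin{bmatrix}\theta_z\\ \theta_x\\ \theta_y\end{bmatrix} + \begin{bmatrix}p\\ 0\\ 0\end{bmatrix} \tag{18}$$

parameterized by a real parameter $0 \le p \le 1$.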

We first calculate the key rate for the BB84 protocol. In the BB84 protocol, we can
estimate the parameters $R_{zz} = 1-p$, $R_{zx} = 0$, $R_{xz} = 0$, $R_{xx} = \sqrt{1-p}$,
$t_z = p$, and $t_x = 0$. By Proposition 1 we can set
$R_{zy} = R_{xy} = R_{yz} = R_{yx} = t_y = 0$. Furthermore, by the condition on the TPCP
map [3£

$$(R_{xx} - R_{yy})^2 \le (1 - R_{zz})^2 - t_z^2,$$

we can decide the remaining parameter as $R_{yy} = \sqrt{1-p}$. Thus, Eve's (worst-case)
ambiguity $F(\omega)$ for the BB84 protocol coincides with the true value $H_\rho(X|E)$,
which means that the BB84 protocol can achieve the same key rate as the six-state protocol.
FIG. 1: (Color online) Comparison of the key rates against the parameter $p$ of the
amplitude damping channel (see Eq. (18)). "Reverse" and "Direct" are the key rates when we
use the reverse reconciliation and the direct reconciliation in our proposed classical
processing respectively. "Conventional six-state" and "Conventional BB84" are the key
rates of the six-state protocol and the BB84 protocol with the conventional classical
processing. Note that the conventional classical processing involves the noisy
preprocessing [3, [l^ .



By straightforward calculations, the key rates of the direct reconciliation and reverse
reconciliation are calculated as

$$1 + \frac{1}{2}h(p) - h\left(\frac{p}{2}\right) - \frac{1+p}{2}\,h\left(\frac{1}{1+p}\right)$$



and 



l+p\ l+p 



h 



respectively. These key rates are plotted in Fig. 1.
The Bell diagonal entries of the Choi matrix $(\mathrm{id} \otimes \mathcal{E}_p)(\psi)$ are
$\frac{1}{4}(2 + 2\sqrt{1-p} - p)$, $\frac{1}{4}p$, $\frac{1}{4}(2 - 2\sqrt{1-p} - p)$,
and $\frac{1}{4}p$. The key rate of the six-state protocol and the BB84 protocol with the
conventional processing can be calculated only from the Bell diagonal entries, and are
also plotted in Fig. 1.

We find that the key rates of our proposed classical 
processing are higher than those of the conventional pro- 
cessing. Furthermore, we find that the key rate of the 
reverse reconciliation is higher than that of the direct 
reconciliation. 
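The Stokes parameters and the Bell diagonal entries quoted above can be re-derived numerically. The following is an added example, not code from the paper: it assumes the standard Kraus operators of the amplitude damping channel (the text does not write them out), and all function names are illustrative.

```python
import math

def amplitude_damping(rho, p):
    """Apply the channel to a 2x2 matrix via its Kraus operators (assumed standard form)."""
    kraus = ([[1.0, 0.0], [0.0, math.sqrt(1 - p)]],
             [[0.0, math.sqrt(p)], [0.0, 0.0]])
    out = [[0j, 0j], [0j, 0j]]
    for k in kraus:
        for i in range(2):
            for j in range(2):
                # (K rho K^dagger)_{ij}; both Kraus operators are real
                out[i][j] += sum(k[i][a] * rho[a][b] * k[j][b]
                                 for a in range(2) for b in range(2))
    return out

def stokes(rho):
    """(theta_z, theta_x, theta_y) of rho = (I + theta . sigma) / 2."""
    return (rho[0][0].real - rho[1][1].real, 2 * rho[0][1].real, -2 * rho[0][1].imag)

def affine_map(p):
    """Return (R, t) of the Stokes map theta -> R theta + t, component order z, x, y."""
    t = stokes(amplitude_damping([[0.5, 0.0], [0.0, 0.5]], p))
    inputs = ([[1.0, 0.0], [0.0, 0.0]],        # theta = (1, 0, 0)
              [[0.5, 0.5], [0.5, 0.5]],        # theta = (0, 1, 0)
              [[0.5, -0.5j], [0.5j, 0.5]])     # theta = (0, 0, 1)
    cols = [[s - ti for s, ti in zip(stokes(amplitude_damping(r, p)), t)]
            for r in inputs]
    R = [[cols[j][i] for j in range(3)] for i in range(3)]   # R[out][in]
    return R, t

def bell_diagonal(p):
    """Bell diagonal entries of the Choi matrix, ordered Phi+, Psi+, Phi-, Psi-."""
    rho = [[0j] * 4 for _ in range(4)]
    for a in range(2):
        for b in range(2):
            unit = [[0.0, 0.0], [0.0, 0.0]]
            unit[a][b] = 1.0
            out = amplitude_damping(unit, p)     # E(|a><b|)
            for i in range(2):
                for j in range(2):
                    rho[2 * a + i][2 * b + j] = 0.5 * out[i][j]
    r = 1 / math.sqrt(2)
    bell = ((r, 0, 0, r), (0, r, r, 0), (r, 0, 0, -r), (0, r, -r, 0))
    return [sum(v[i] * rho[i][j] * v[j] for i in range(4) for j in range(4)).real
            for v in bell]

if __name__ == "__main__":
    p = 0.36                                      # constructed sample value
    R, t = affine_map(p)
    print("R =", R, "t =", t)
    print("Bell diagonal entries:", bell_diagonal(p))
    # TPCP condition used in the text to pin down R_yy (holds with equality here)
    print((R[1][1] - R[2][2]) ** 2, "<=", (1 - R[0][0]) ** 2 - t[0] ** 2)
```

For p = 0.36 the TPCP condition holds with equality, which is why the BB84 estimates alone fix $R_{yy}$ for this channel.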

Remark 9 When the channel is degradable [i^, i.e., there exists a channel $\mathcal{D}$
such that $\mathcal{E}_E(\rho) = \mathcal{D} \circ \mathcal{E}_B(\rho)$ for any input
$\rho$, the quantum wiretap channel capacity [4^ is known to be achievable without any
auxiliary random variable [50].

For the one-way key agreement from a degradable
(from Alice to Bob and Eve) {ccq}-state, which is a state

PXYE 



j:,,yPxY{x,y)\x){x\<E)\y){ 



there exist states {/3|;}y satisfying J2y PY\x{y\x)p^E 



p^'^ such that 



pI; := PY\x{y\x)p^^ , a similar statement also holds, 
namely the key rate in Eq. (4) cannot be improved with any auxiliary random variable. The
use of an auxiliary random variable for the key agreement corresponds to the noisy
preprocessing TJ, 16l |.

The above statement is proved as follows. Since we are considering the information
reconciliation and the privacy amplification with one-way classical communication, key
rates only depend on the distribution $P_{XY}$ and the {cq}-state $\rho_{XE}$. Thus the
maximum key rate for $\rho_{XYE}$ is equal to that for the degraded version of it,
$\hat\rho_{XYE} := \sum_{x,y} P_{XY}(x,y)\,|x\rangle\langle x| \otimes |y\rangle\langle y| \otimes \hat\rho_E^{y}$.
On the other hand the (quantum) intrinsic information

$$I_\rho(X;Y \downarrow E) := \inf I_\rho(X;Y|E')$$

is an upper bound on the maximum key rate (sTj , where
$I_\rho(X;Y|E') := H_\rho(XE') + H_\rho(YE') - H_\rho(XYE') - H_\rho(E')$ is the quantum
conditional mutual information, and the infimum is taken over all {ccq}-states
$\rho_{XYE'} = (\mathrm{id} \otimes \mathcal{N}_{E \to E'})(\rho_{XYE})$ for CPTP maps
$\mathcal{N}_{E \to E'}$ from system $E$ to $E'$. Taking the identity map $\mathrm{id}_E$,
the quantum conditional mutual information $I_\rho(X;Y|E)$ itself is an upper bound on the
maximum key rate. Applying this fact for the degraded {ccq}-state $\hat\rho_{XYE}$, the
maximum key rate is upper bounded by

$$\begin{aligned}
I_{\hat\rho}(X;Y|E) &= I_{\hat\rho}(X;YE) - I_{\hat\rho}(X;E)\\
&= H_{\hat\rho}(X|E) - H(X|Y) + I_{\hat\rho}(X;E|Y)\\
&= H_{\hat\rho}(X|E) - H(X|Y),
\end{aligned}$$

which is the desired upper bound, and is equal to Eq. ([¥]).

When Alice randomly sends $\{|0_z\rangle, |1_z\rangle\}$ over the amplitude damping channel
and Bob measures the received state by the $\sigma_z$ observable, the resulting {ccq}-state
is degradable, which implies the key rate of direct reconciliation cannot be improved by
the noisy preprocessing. It is not clear whether the {ccq}-state for the amplitude damping
channel is degradable in reverse order; there exists a possibility to improve the key rate
of reverse reconciliation by the noisy preprocessing.



B. Unital channel and rotation channel 

A channel $\mathcal{E}_B$ is called a unital channel if the vector $(t_z, t_x, t_y)$ is the
zero vector in the Stokes parameterization (see Eq. pO|)), or equivalently if the channel
$\mathcal{E}_B$ maps the completely mixed state $I/2$ to itself. The unital channel has the
following physical meaning in QKD protocols. When Eve conducts the Pauli cloning [53] with
respect to an orthonormal basis that is a rotated version of $\{|0_z\rangle$,


The fact that the amplitude damping channel is degradable has been
shown in [52].
$|1_z\rangle\}$, the quantum channel from Alice to Bob is not a Pauli channel but a unital
channel. It is natural to assume that Eve cannot determine the direction of the basis
$\{|0_z\rangle, |1_z\rangle\}$ accurately, and the unital channel deserves consideration in
the QKD research as well as the Pauli channel.

By the singular value decomposition, we can decom- 
pose the matrix R in Eq. (jTU]) as 



O2 



ez 
ex 
ev 



(19) 



where $O_1$ and $O_2$ are some rotation matrices, and $|e_z|$, $|e_x|$, and $|e_y|$ are the
singular values of the matrix $R$. Thus, we can consider the unital channel $\mathcal{E}_B$
as the composition of the unitary channel $\mathcal{E}_{O_1}$, the Pauli channel

$$\rho \mapsto q_i\rho + q_z\sigma_z\rho\sigma_z + q_x\sigma_x\rho\sigma_x + q_y\sigma_y\rho\sigma_y,$$

and the unitary channel $\mathcal{E}_{O_2}$, where

$$q_i = \frac{1 + e_z + e_x + e_y}{4},\quad q_z = \frac{1 + e_z - e_x - e_y}{4},\quad q_x = \frac{1 - e_z + e_x - e_y}{4},\quad q_y = \frac{1 - e_z - e_x + e_y}{4}.$$
For the unital channel, we have $H(X|Y) = H(Y|X) = h((1 + R_{zz})/2)$. For the six-state
protocol, we can calculate Eve's ambiguity $H_\rho(X|E)$ as

$$1 - H[q_i, q_z, q_x, q_y] + h\left(\frac{1 + \sqrt{R_{zz}^2 + R_{xz}^2 + R_{yz}^2}}{2}\right) \tag{20}$$

because $(q_i, q_z, q_x, q_y)$ are the eigenvalues of the Choi matrix $\rho_{AB}$. For the
reverse reconciliation, Eve's ambiguity $H_\rho(Y|E)$ is given by Eq. (20) in which
$R_{xz}$ and $R_{yz}$ are replaced by $R_{zx}$ and $R_{zy}$ respectively. Thus,
$R_{xz}^2 + R_{yz}^2 = R_{zx}^2 + R_{zy}^2$ is the necessary and sufficient condition for
$H_\rho(X|E) = H_\rho(Y|E)$. For the BB84 protocol, we can calculate Eve's worst case
ambiguity $F(\omega)$ by Proposition 2 because $t_z = t_x = 0$ for the unital channel. Note
that the singular values $(d_z, d_x)$ in Proposition 2 are different from the singular values



The rotation matrix is the real orthogonal matrix with determinant 1.

The decomposition is not unique because we can change the order of $(e_z, e_x, e_y)$ or the
sign of them by adjusting the rotation matrices $O_1$ and $O_2$. However, the result in this
paper does not depend on a choice of the decomposition.



$(|e_z|, |e_x|)$ in general because there exist off-diagonal elements
$(R_{zy}, R_{xy}, R_{yz}, R_{yx})$. From Remark lHl, $R_{xz}^2 = R_{zx}^2$ is the necessary
and sufficient condition for Eve's worst case ambiguity for the direct reconciliation and
that for the reverse reconciliation to coincide.

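In the rest of this section, we analyze a special class of the unital channel, the rotation
channel. We define the rotation channel from Alice to Bob as

$$\begin{bmatrix}\theta_z\\ \theta_x\\ \theta_y\end{bmatrix} \mapsto \begin{bmatrix}\cos\vartheta & -\sin\vartheta & 0\\ \sin\vartheta & \cos\vartheta & 0\\ 0 & 0 & 1\end{bmatrix}\begin{bmatrix}\theta_z\\ \theta_x\\ \theta_y\end{bmatrix}.$$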

The rotation channels occur, for example, when the direc- 
tions of the transmitter and the receiver are not properly 
aligned. 

For the rotation channel, Eq. ^TE\\ gives $F(\omega) = 1$, which implies that Eve gained no
information. Thus, Eve's (worst-case) ambiguity for the BB84 protocol coincides with the
true value $H_\rho(X|E)$, and the BB84 protocol with our proposed classical processing can
achieve the same key rate as the six-state protocol.

There are two reasons why we show this example, the rotation channel. The first one is that
we can obtain secret keys, in the BB84 protocol, both from matched measurement outcomes,
which are transmitted and received by the same basis (say z-basis), and mismatched
measurement outcomes, which are transmitted and received by different bases (say z-basis
and x-basis respectively). The probability distributions of Alice and Bob's bit for each
case are given by $P_{X|Y}(1|0) = P_{X|Y}(0|1) = \sin^2(\vartheta/2)$ and
$P_{X|Y'}(1|0) = P_{X|Y'}(0|1) = \sin^2(\vartheta/2 - \pi/4)$ respectively (see Eqs. ([T|)
and ([7]) for the definitions of $P_{XY}$ and $P_{XY'}$). If the channel is biased, i.e.,
$\vartheta \ne 0, \pi/2, \pi, 3\pi/2$, then we can obtain secret keys with positive key
rates both from matched measurement outcomes and mismatched measurement outcomes. This fact
solves an open problem discussed in [2^, Section 5].

The second reason is that we can obtain a secret key from matched measurement outcomes even
though the so called error rate is higher than the 25% limit [2^ in the BB84 protocol. The
Bell diagonal entries of the Choi matrix are $\cos^2(\vartheta/2)$, 0, 0, and
$\sin^2(\vartheta/2)$. Thus the error rate is $\sin^2(\vartheta/2)$. For
$\pi/3 < \vartheta < 5\pi/3$, the error rate is higher than 25%, but we can obtain the
positive key rate, $1 - h(\sin^2(\vartheta/2))$ except $\vartheta = \pi/2, 3\pi/2$. Note
that the key rate of the standard processing by Shor and Preskill ^ is
$1 - 2h(\sin^2(\vartheta/2))$. This fact verifies Curty et al's suggestion that key
agreement might be possible even for the error rates higher than 25% limits.
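The figures in the two reasons above can be reproduced by simulating the BB84 statistics of the rotation channel directly. This is an added example, not code from the paper: it assumes the rotation is realized by the real qubit unitary in `rotate` (which reproduces the Stokes matrix above), the function names are illustrative, and the mismatched-basis rate $1 - h(\cdot)$ is inferred from Eve's ambiguity being 1 rather than written out in the text.

```python
import math

def h(x):
    """Binary entropy in bits; h(0) = h(1) = 0."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1 - x) * math.log2(1 - x)

R2 = 1 / math.sqrt(2)
Z_BASIS = ((1.0, 0.0), (0.0, 1.0))     # |0_z>, |1_z>
X_BASIS = ((R2, R2), (R2, -R2))        # |0_x>, |1_x>

def rotate(theta, state):
    """Assumed unitary: its Stokes (z, x) action is [[cos, -sin], [sin, cos]]."""
    c, s = math.cos(theta / 2), math.sin(theta / 2)
    return (c * state[0] - s * state[1], s * state[0] + c * state[1])

def crossover(theta, bob_basis):
    """P(Bob's bit differs from Alice's) when Alice sends a uniform z-basis bit."""
    total = 0.0
    for x, sent in enumerate(Z_BASIS):
        out = rotate(theta, sent)
        wrong = bob_basis[1 - x]           # basis vector labelled with the other bit
        total += 0.5 * (wrong[0] * out[0] + wrong[1] * out[1]) ** 2
    return total

def key_rates(theta):
    """Asymptotic key rates for the rotation channel, where Eve's ambiguity is 1."""
    e_match = crossover(theta, Z_BASIS)    # sin^2(theta/2), the "error rate"
    e_mis = crossover(theta, X_BASIS)      # sin^2(theta/2 - pi/4)
    return {
        "error_rate": e_match,
        "proposed_matched": 1 - h(e_match),
        "proposed_mismatched": 1 - h(e_mis),   # H(X|E) - H(X|Y') with H(X|E) = 1
        "shor_preskill": 1 - 2 * h(e_match),   # a negative value means no key
    }

if __name__ == "__main__":
    for deg in (30, 60, 90, 120, 150, 180):    # constructed sample angles
        rates = key_rates(math.radians(deg))
        print(deg, {k: round(v, 4) for k, v in rates.items()})
```

At $\vartheta = \pi/2$ the matched outcomes carry no key while the mismatched outcomes are perfectly correlated, which is the reason the mismatched outcomes should not be discarded.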



Remark 10 If the {ccq}-state $\rho_{XYE}$ is degraded (from Alice to Bob and Eve), i.e.,
the {ccq}-state is of the form
$\rho_{XYE} = \sum_{x,y} P_{XY}(x,y)\,|x\rangle\langle x| \otimes |y\rangle\langle y| \otimes \rho_E^{y}$,
then we can prove that the key rate in Eq. ^ cannot be improved even if we use any noisy
preprocessing or two-way processing. The reason is that the upper bound $I_\rho(X;Y|E)$
and the lower bound in Eq. ([¥]) coincide for the degraded {ccq}-state in a similar manner
to Remark [51
For the rotation channel $\mathcal{E}_\vartheta$, the resulting {ccq}-state is obviously
degraded. Thus the key rate $1 - h(\sin^2(\vartheta/2))$ cannot be improved any more.



V. CONCLUSION 

In this paper, we constructed a practically imple- 
mentable classical processing for the BB84 protocol and 
the six-state protocol that fully utilizes the accurate 
channel estimation method. A consequence of our result 
is that we should not discard mismatched measurement 
outcomes in the QKD protocols; those measurement out- 
comes can be used to estimate the channel accurately, 
and increase key rates. 

There is a problem that was not treated in this paper. Although we only treated the
asymptotically secure key rate in this paper, the final goal is the non-asymptotic analysis
of the eavesdropper's information, i.e., to evaluate the eavesdropper's information as a
function of the length of the raw key, the key rate, and the length of sample bits as in
the literature 0, H Hi, [H, [13, IH, tHl, [e^ . This topic is a future research agenda.
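where $\rho'_{XE} := \sum_{x \in \mathbb{F}_2} \frac{1}{2}|x\rangle\langle x| \otimes \mathcal{E}'_E(|x\rangle\langle x|)$
for the channel $\mathcal{E}'_E$ to the environment of $\mathcal{E}'_B$, and
$\rho^r_{XE} := \sum_{x \in \mathbb{F}_2} \frac{1}{2}|x\rangle\langle x| \otimes \mathcal{E}^r_E(|x\rangle\langle x|)$
for the channel $\mathcal{E}^r_E$ to the environment of $\mathcal{E}^r_B$ and for
$r \in \{1, 2\}$.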

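Proof. For $r = 1$ and $2$, let $\psi^r_{ABE}$ be a purification of the Choi matrix
$\rho^r_{AB} := (\mathrm{id} \otimes \mathcal{E}^r_B)(\psi)$. Then the density matrix
$\rho^r_{XE}$ is derived by Alice's measurement by z-basis and the partial trace over Bob's
system, i.e.,

$$\rho^r_{XE} = \mathrm{Tr}_B\Big[\sum_x (|x\rangle\langle x| \otimes I)\,\psi^r_{ABE}\,(|x\rangle\langle x| \otimes I)\Big]. \tag{A1}$$

Let

$$|\psi'_{ABER}\rangle := \sqrt{\lambda}\,|\psi^1_{ABE}\rangle|1\rangle + \sqrt{1-\lambda}\,|\psi^2_{ABE}\rangle|2\rangle$$

be a purification of $\rho'_{AB} := (\mathrm{id} \otimes \mathcal{E}'_B)(\psi)$, where
$\mathcal{H}_R$ is the reference system, and $\{|1\rangle, |2\rangle\}$ is an orthonormal
basis of $\mathcal{H}_R$. Let

$$\rho'_{XER} := \mathrm{Tr}_B\Big[\sum_x (|x\rangle\langle x| \otimes I)\,\psi'_{ABER}\,(|x\rangle\langle x| \otimes I)\Big] \tag{A2}$$

and let

$$\rho_{XER} := \sum_{r \in \{1,2\}} (I \otimes |r\rangle\langle r|)\,\rho'_{XER}\,(I \otimes |r\rangle\langle r|) = \lambda\,\rho^1_{XE} \otimes |1\rangle\langle 1| + (1-\lambda)\,\rho^2_{XE} \otimes |2\rangle\langle 2|$$

be the density matrix such that the system $\mathcal{H}_R$ is measured by the
$\{|1\rangle, |2\rangle\}$ basis. Then we have

$$\begin{aligned}
H_{\rho'}(X|ER) &= H(X) - I_{\rho'}(X;ER)\\
&\le H(X) - I_{\rho}(X;ER)\\
&= H_{\rho}(X|ER)\\
&= \lambda H_{\rho^1}(X|E) + (1-\lambda) H_{\rho^2}(X|E),
\end{aligned}$$

where the inequality follows from the monotonicity of the quantum mutual information for
measurements (data processing inequality) (6l| . By renaming the systems $ER$ to $E$, we
have the assertion of the lemma. □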



APPENDIX A: CONVEXITY OF EVE'S AMBIGUITY

In this appendix, we show a lemma that will be used in the rest of the appendices.

Lemma 2 For two channels $\mathcal{E}^1_B$ and $\mathcal{E}^2_B$ and a probabilistically
mixed channel $\mathcal{E}'_B := \lambda\mathcal{E}^1_B + (1-\lambda)\mathcal{E}^2_B$,
Eve's ambiguity is convex, i.e., we have

$$H_{\rho'}(X|E) \le \lambda H_{\rho^1}(X|E) + (1-\lambda) H_{\rho^2}(X|E),$$



Remark 11 By switching the role of Alice and Bob, we can show that the assertion in Lemma 2
and thus Proposition 1 hold for the reverse reconciliation. Furthermore, the statements
also hold for the information reconciliation and the privacy amplification with
$k$-block-wise two-way processing ,23o i28j (including one-way noisy preprocessing
[13, [3). More precisely, let $\mathcal{N}_{X^kY^k \to UV}$ be the TPCP map that represents
a two-way processing. Then for the density matrix
PUVE'' (-^x''F'=-»(7V ® 
we can obtain the inequality

$$H_{\rho'}(U|VE^k) \le \lambda H_{\rho^1}(U|VE^k) + (1-\lambda) H_{\rho^2}(U|VE^k).$$

The modifications of the proof are to replace $\psi^r_{ABE}$ and $\psi'_{ABER}$ with
$(\psi^r_{ABE})^{\otimes k}$ and $(\psi'_{ABER})^{\otimes k}$ in Eqs. (A1) and (A2), to
replace the partial trace over Bob's system with Bob's measurement, to append a map
$\mathcal{N}_{X^kY^k \to UV}$, and to replace the measurement on the system $\mathcal{H}_R$
with the measurements on $\mathcal{H}_R^{\otimes k}$.

APPENDIX B: PROOF OF PROPOSITION 1

The statement of Proposition 1 easily follows from Lemma 2. For any channel
$\mathcal{E}_B$, let $\bar{\mathcal{E}}_B$ be the channel whose Choi matrix
$\bar\rho_{AB}$ is the complex conjugate of that for $\mathcal{E}_B$. Note that eigenvalues
of density matrices are unchanged by the complex conjugate, and thus Eve's ambiguity
$H_{\bar\rho}(X|E)$ for $\bar{\mathcal{E}}_B$ equals $H_\rho(X|E)$. By applying Lemma 2 for
$\mathcal{E}^1_B = \mathcal{E}_B$, $\mathcal{E}^2_B = \bar{\mathcal{E}}_B$, and
$\lambda = \frac{1}{2}$, we have

$$H_{\rho'}(X|E) \le \frac{1}{2}H_\rho(X|E) + \frac{1}{2}H_{\bar\rho}(X|E),$$

where $\rho'_{AB} = \frac{1}{2}\rho_{AB} + \frac{1}{2}\bar\rho_{AB}$. Note that
$\rho'_{AB}$ is a real density matrix whose entries are equal to the real components of
$\rho_{AB}$, which implies that the parameters $R_{zy}$, $R_{xy}$, $R_{yz}$, $R_{yx}$, and
$t_y$ are 0 by Eq. p^ . Since the channel $\mathcal{E}_B$ was arbitrary, we have the
assertion of the proposition. □



APPENDIX C: PROOF OF LEMMA 1

Since the conditional entropy is a continuous function, 
the following statement is suffice for proving that F{uj) 
is continuous function at any ujo (z V, where V is the set 
of all uj such that P{uj) is not empty. For any ui £ V such 
that Ijai — woll < £■ there exist e' ,e" > such that 



Viu) c 6s'(^(t^o)), 



(CI) 
(C2) 



and e' and e" converge to as e goes to 0, where 
Be'iViuJo)) is the e'-neighbor of the set V{ujo)- 

Define the set Q := {(w,i?yy) \ w G r,Ryy E V{uj)}, 
which is a closed convex set. Define functions 



U{uj) 
L{u;) 



:~ max i?y 
:= min Ry 



as the upper surface and the lower surface of the set Q re- 
spectively. Then U{uj) and L{uj) are concave and convex 
functions respectively, because Q is a convex set. Thus 
U{uj) and L{uj) are continuous functions except the ex- 
treme points of V. For any extreme point to' and for 
any interior point lo, we have U{uj) > U{u}') and L{u)) < 



L{uj'), because Q is a convex set. Since Q is a closed 
set, we have Ihn^^^i U{uj) S 'P{uj') and Ymi^^^i L(uj) £ 
V{uj'), which implies that U{uj') — \im^^^iU{u)) and 
L{u}') = Ymii^^^^i L(uj). Thus U{uj) and L{uj) are also 
continuous at the extreme points. Since V{uj) is a con- 
vex set, the continuity of U{lj) and L{lj) implies that 
Eqs. (|UT|) and ((C2)) hold for some e',e" > 0, and e' and 
e" converge to as e goes to 0. □ 



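APPENDIX D: PROOF OF PROPOSITION 2

By Proposition 1 it suffices to consider the channel $\mathcal{E}_B$ of the form

$$\begin{bmatrix}\theta_z\\ \theta_x\\ \theta_y\end{bmatrix} \mapsto \begin{bmatrix}R_{zz} & R_{zx} & 0\\ R_{xz} & R_{xx} & 0\\ 0 & 0 & R_{yy}\end{bmatrix}\begin{bmatrix}\theta_z\\ \theta_x\\ \theta_y\end{bmatrix} + \begin{bmatrix}t_z\\ t_x\\ 0\end{bmatrix}.$$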

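Define the channel
$\tilde{\mathcal{E}}_B(\rho) = \sigma_y(\mathcal{E}_B(\sigma_y\rho\sigma_y))\sigma_y$ and
the mixed channel
$\mathcal{E}'_B = \frac{1}{2}\mathcal{E}_B + \frac{1}{2}\tilde{\mathcal{E}}_B$. Since the
channel $\tilde{\mathcal{E}}_B$ is given by

$$\begin{bmatrix}\theta_z\\ \theta_x\\ \theta_y\end{bmatrix} \mapsto \begin{bmatrix}R_{zz} & R_{zx} & 0\\ R_{xz} & R_{xx} & 0\\ 0 & 0 & R_{yy}\end{bmatrix}\begin{bmatrix}\theta_z\\ \theta_x\\ \theta_y\end{bmatrix} + \begin{bmatrix}-t_z\\ -t_x\\ 0\end{bmatrix},$$

$\mathcal{E}'_B$ is a unital channel and the matrix part of $\mathcal{E}_B$ and
$\mathcal{E}'_B$ are the same. Furthermore, since $H_\rho(X|E)$ for $\mathcal{E}_B$ equals
$H_{\tilde\rho}(X|E)$ for $\tilde{\mathcal{E}}_B$, by using Lemma 2 we have

$$H_\rho(X|E) \ge H_{\rho'}(X|E).$$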

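The rest of the proof is to calculate the minimization of $H_{\rho'}(X|E)$ with respect to
$R_{yy}$. By the singular value decomposition, we can decompose the matrix $R'$
corresponding to the channel $\mathcal{E}'_B$ as

$$R' = O_2 \begin{bmatrix} d_z & 0 & 0\\ 0 & d_x & 0\\ 0 & 0 & R_{yy} \end{bmatrix} O_1,$$

where $O_1$ and $O_2$ are some rotation matrices within the z-x-plane, and $|d_z|$ and
$|d_x|$ are the singular values of the matrix in Eq. (15). Then, we have

$$\begin{aligned}
\min_{R_{yy}} H_{\rho'}(X|E) &= \min_{R_{yy}} \Big[ 1 - H(\rho'_{AB}) + \sum_x \frac{1}{2} H(\mathcal{E}'_B(|x\rangle\langle x|)) \Big]\\
&= 1 - \max_{R_{yy}} H[q_i, q_z, q_x, q_y] + h\left(\frac{1 + \sqrt{R_{zz}^2 + R_{xz}^2}}{2}\right),
\end{aligned}$$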

where $(q_i, q_z, q_x, q_y)$ are the eigenvalues of the Choi matrix $\rho'_{AB}$. By noting
that q\ + qz ^ and q\ + q^ ^ (see Section IV B), we have the assertion of the
proposition. □
APPENDIX E: CONVEX OPTIMIZATION

In this appendix, we briefly explain how to apply a convex optimization method, the
interior-point method, to the channel estimation in the BB84 protocol. In a similar manner,
we can apply the interior-point method to the channel estimation in the six-state protocol.
For more detail, see the textbook [41, Section 11.6].

First, we define a generalized inequality. Since the set $K \subset \mathbb{R}^{4 \times 4}$
of (real) semi-definite matrices is a proper cone (see [41, Section 2.4.1] for the
definition of the proper cone), we can define a generalized inequality $\preceq_K$ as

$$M \preceq_K N \iff N - M \in K.$$

For a given parameter $(\omega, R_{yy}) \in \mathbb{R}^7$, we define the real matrix
$\rho(\omega, R_{yy}) \in \mathbb{R}^{4 \times 4}$ by using the relation in Eq. (12), where
we set other parameters $(R_{zy}, R_{xy}, R_{yz}, R_{yx}, t_y)$ to be all 0. Then, the
function $\rho : \mathbb{R}^7 \to \mathbb{R}^{4 \times 4}$ is a $K$-concave function (see
[41, Section 3.6.2] for the definition of the $K$-concave function).

We can formulate our optimization problem as follows:

minimize 1 1 a) — ti) | p 
subject to $\rho(\omega, R_{yy}) \succeq_K 0$,
           $\mathrm{Tr}_B[\rho(\omega, R_{yy})] = I$,

where $\|\cdot\|^2$ is the squared Euclidean norm, which is a convex function, and $I$ is
the $2 \times 2$ identity matrix. This optimization problem can be solved by the
interior-point method. Note that we can use $\log\det\rho(\omega, R_{yy})$ as a logarithmic
barrier function (see [41, Example 11.7]).